The emails sent by the worm have an empty subject line and no message text. The attached file is called game.exe. The sender address is spoofed (chosen from addresses found on the system).

The worm listens on TCP port 4751 and sends registration information containing this port number to a remote web site. A remote attacker can use this port to update the worm. The uploaded file is dropped into the Windows folder under a random EXE filename starting with the string "bsud" and then executed. If the update is successful, the original worm file is deleted.
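
The indicators described above can be turned into a triage check. This is an added example, not part of the original description: the function names, the sample message and the sample listings are constructed, and the inputs (a raw message, a list of listening TCP ports, a Windows-folder file listing) are assumed to come from your own collection tooling.

```python
import re
from email import message_from_string

WORM_PORT = 4751                                   # listener port from the description
ATTACHMENT = "game.exe"                            # attachment name from the description
DROP_RE = re.compile(r"^bsud[^\\/]*\.exe$", re.I)  # update file dropped in the Windows folder

def mail_matches(raw):
    """True for a message with an empty subject, no text and a game.exe attachment."""
    msg = message_from_string(raw)
    if str(msg.get("Subject") or "").strip():
        return False
    names, text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname.lower())
        elif part.get_content_maintype() == "text":
            text += (part.get_payload(decode=True) or b"").decode("latin-1")
    return not text.strip() and ATTACHMENT in names

def host_findings(listening_ports, windows_dir_files):
    """Indicator strings from a TCP listener list and a Windows-folder listing."""
    found = []
    if WORM_PORT in listening_ports:
        found.append(f"listener on TCP {WORM_PORT}")
    found += [f"dropped file {f}" for f in windows_dir_files if DROP_RE.match(f)]
    return found

# Constructed sample message: empty subject, empty text part, game.exe attachment.
SAMPLE_MAIL = "\n".join([
    "From: alice@example.com", "To: bob@example.com", "Subject:",
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="game.exe"',
    "Content-Transfer-Encoding: base64", "", "cGxhY2Vob2xkZXI=", "--b1--", ""])

if __name__ == "__main__":
    print(mail_matches(SAMPLE_MAIL))
    print(host_findings([135, 445, 4751], ["notepad.exe", "bsudqk.exe"]))
```

Because the sender address is spoofed, the check deliberately ignores the From header and keys only on the subject, body and attachment name.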